Index names are getting generated as 2021.53

prajwalgmpp · March 1, 2021, 8:14am

Hi All..

The syntax for naming our indices for different applications is "application-YYYY-ww".

But we are having some indices that are getting generated as application-2021.53. And they have significant sizes too, the largest one being 37GB. So we can't ignore those indices.

Can I get an explanation on why they are getting created and how to avoid index names getting names that way?

Following is the pipeline:

> input {

>   }
> }
> filter {
>   ##a lot of application related processing
>   } else {
>       mutate {
>         add_field => { "indexprefix" => "application_name.default.%{[fields][cluster]}-" }
>       }
>       mutate {
>         lowercase => [ "indexprefix" ]
>       }
>   }
> }
> output {
>   elasticsearch {
>     hosts => []
>     ssl => true
>     cacert => '/etc/logstash/ssl/cl-root.crt'
>     manage_template => false
>     index => "%{indexprefix}%{+YYYY.ww}"
>   }
> }

Christian_Dahlqvist · March 1, 2021, 9:41am

52 weeks of 7 days gives 364 days, so some days will end up going into an index for week 53. Exactly how many days depend on how the week aligns at the start and end of the year.

prajwalgmpp · March 1, 2021, 9:42am

I thought so too. But this is happening with only one pipeline. Indices from other pipelines, although following the same naming convention are not getting generated as 2021.23

Also why 2021? Why aren't they getting named as 2020.53?

Christian_Dahlqvist · March 1, 2021, 9:44am

What is the content of the @timestamp field for those events?

prajwalgmpp · March 1, 2021, 2:18pm

Curiously, I am able to see those indices under "Index Management" but I am not able to find those indices in Discover to get their timestamp. Please advise

system · March 29, 2021, 2:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.